Rishikesh Ranjan — rishikeshranjan.com

// open source & systems

SkillLedger

Supply-chain integrity for AI skills — Sigstore keyless signing, a Tessera transparency log, and OPA policy gates, in a Dockerized service + log + Postgres stack.

Creator2026GoPythonFastAPITypeScriptSigstoreOPAPostgreSQLDocker

As agents install third-party skills, provenance becomes a real supply-chain problem: who signed this skill, and can you prove it wasn't tampered with? SkillLedger brings the guarantees of modern software supply-chain security to AI skills.

What it does

  • Keyless signing. Sigstore-based identity signing — no long-lived keys to leak or rotate.
  • Transparency log. A Tessera append-only log makes every publish tamper-evident and auditable.
  • Policy gates. OPA policies decide what may run — enforced before a skill is trusted, not after.
  • Dockerized stack. Service, transparency log, and Postgres ship together as a reproducible stack.